ACL

  • Question
  • Updated 3 weeks ago
We don't allow non-company-owned assets to connect to our network, but we have a need to allow a vendor to connect to our network for the purpose of managing our phone system. When we had our Cisco switches, I would allow access to that subnet but then block all RFC 1918 addresses. I'm having trouble doing that with our new Summit switches.

I used the following as a guide to build my configuration, which is as follows.

https://gtacknowledge.extremenetworks.com/articles/Solution/ACL-in-EXOS-to-allow-only-specific-traff...


entry PermitVendor {
if match all {
    destination-address 192.168.100.0/24 ;
}
then {
    permit ;
}
}
entry DenyRFC1918 {
if match any {
    destination-address 192.168.0.0/16 ;
    destination-address 172.16.0.0/12 ;
    destination-address 10.0.0.0/8 ;
}
then {
    deny ;
}
}



This policy doesn't work; there are 2 issues.

First, this policy doesn't pass muster because it has multiple destination-address statements. How can I use as few lines of code as possible to achieve my goal of denying all private-address communication?

Secondly, if I tell it to block 192.168.0.0/16, my permit policy from above doesn't work. It works if I deny 192.168.200.0/24. I can only assume that I'm permitting 192.168.100.0/24 but then immediately denying it with 192.168.0.0/16...

Third, I didn't outline it here, but I need them to get to the Internet, which means they need to use my internal DNS. So I need to create another rule that will allow port 53 traffic to my DNS hosts.

Thanks!
T Pitch

Posted 3 weeks ago

Brandon Clay, Escalation Support Engineer

For your first question, you'll need to split all the RFC 1918 subnets into separate entries. For example:
entry PermitVendor {
if {
    destination-address 192.168.100.0/24 ;
}
then {
    permit ;
}
}
entry Deny192 {
if {
    destination-address 192.168.0.0/16 ;
}
then {
    deny ;
}
}
entry Deny172 {
if {
    destination-address 172.16.0.0/12 ;
}
then {
    deny ;
}
}
entry Deny10 {
if {
    destination-address 10.0.0.0/8 ;
}
then {
    deny ;
}
}

For your second question, it should work as long as you have the more specific permit before the more general deny. The third point is the same: just make sure the port 53 permit is before the denies.


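The answer above rests on two facts about EXOS policy files: entries are evaluated top to bottom and the first match wins, so a broad deny placed ahead of a narrower permit shadows it (the second question), and the UDP/53 permit for the internal resolver has to sit ahead of the deny that covers the resolver's subnet (the third question). The script below is an added example, not code from this thread or from Extreme Networks: it models that first-match evaluation in Python, holds the entries from the answer plus a UDP/53 permit, evaluates a few constructed packets, reports entries that can never fire because an earlier entry covers them, and prints the equivalent .pol text. The resolver address 192.168.1.10, the sample packets and the entry names PermitDNS and PermitInternet are assumptions for the example. The model also assumes EXOS forwards traffic that matches no entry, which is why the last entry spells that default out explicitly.

```python
"""First-match model of the EXOS ACL policy discussed above.

Added example, not code from the thread or from Extreme Networks.  It holds
the entries from the answer (vendor permit, one deny per RFC 1918 block), adds
the UDP/53 permit for the internal resolver, evaluates constructed packets in
entry order, flags entries shadowed by an earlier broader one, and renders the
equivalent .pol text.  The resolver address and sample packets are constructed.
The model assumes EXOS forwards traffic that matches no entry, so the last
entry makes that default explicit.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

DNS_SERVER = IPv4Network("192.168.1.10/32")  # constructed: internal resolver


@dataclass
class Entry:
    name: str
    action: str                          # "permit" or "deny"
    dst: Optional[IPv4Network] = None    # destination-address
    protocol: Optional[str] = None       # protocol udp/tcp/...
    dst_port: Optional[int] = None       # destination-port

    def matches(self, dst_ip: str, protocol: Optional[str],
                dst_port: Optional[int]) -> bool:
        """All conditions present in the entry must hold (EXOS 'match all')."""
        if self.dst is not None and IPv4Address(dst_ip) not in self.dst:
            return False
        if self.protocol is not None and self.protocol != protocol:
            return False
        if self.dst_port is not None and self.dst_port != dst_port:
            return False
        return True

    def covers(self, other: "Entry") -> bool:
        """True if every packet matching `other` also matches this entry."""
        dst_ok = self.dst is None or (
            other.dst is not None and other.dst.subnet_of(self.dst))
        return (dst_ok and self.protocol in (None, other.protocol)
                and self.dst_port in (None, other.dst_port))

    def to_pol(self) -> str:
        """Render the entry in EXOS policy-file syntax."""
        conds = []
        if self.dst is not None:
            conds.append(f"    destination-address {self.dst} ;")
        if self.protocol is not None:
            conds.append(f"    protocol {self.protocol} ;")
        if self.dst_port is not None:
            conds.append(f"    destination-port {self.dst_port} ;")
        lines = [f"entry {self.name} {{", "if {", *conds, "}",
                 "then {", f"    {self.action} ;", "}", "}"]
        return "\n".join(lines)


# Order matters: specific permits first, RFC 1918 denies next, catch-all last.
VENDOR_POLICY: List[Entry] = [
    Entry("PermitVendor", "permit", dst=IPv4Network("192.168.100.0/24")),
    Entry("PermitDNS", "permit", dst=DNS_SERVER, protocol="udp", dst_port=53),
    Entry("Deny192", "deny", dst=IPv4Network("192.168.0.0/16")),
    Entry("Deny172", "deny", dst=IPv4Network("172.16.0.0/12")),
    Entry("Deny10", "deny", dst=IPv4Network("10.0.0.0/8")),
    Entry("PermitInternet", "permit"),   # no conditions: matches everything left
]

# The ordering from the second question: the /16 deny ahead of the /24 permit.
BROKEN_ORDER: List[Entry] = [VENDOR_POLICY[2], VENDOR_POLICY[0]]


def evaluate(policy: List[Entry], dst_ip: str, protocol: Optional[str] = None,
             dst_port: Optional[int] = None) -> Tuple[str, str]:
    """Return (action, entry name) of the first matching entry; unmatched
    traffic is forwarded, which is the default this model assumes for EXOS."""
    for entry in policy:
        if entry.matches(dst_ip, protocol, dst_port):
            return entry.action, entry.name
    return "permit", "<default>"


def shadowed(policy: List[Entry]) -> List[str]:
    """Entries that can never fire because an earlier entry covers them."""
    return [later.name for i, later in enumerate(policy)
            if any(earlier.covers(later) for earlier in policy[:i])]


def render_policy(policy: List[Entry]) -> str:
    """The complete .pol file text for the given entry order."""
    return "\n".join(entry.to_pol() for entry in policy) + "\n"


if __name__ == "__main__":
    print(render_policy(VENDOR_POLICY))
    print("shadowed in broken order:", shadowed(BROKEN_ORDER))
```

Running the script prints the .pol text in the order that works and reports PermitVendor as shadowed when Deny192 is placed ahead of it. Two things worth keeping in mind when pasting the rendered entries into a real policy: an entry with no match conditions matches everything, so PermitInternet has to stay last, and it is a permit rather than a deny because the vendor still needs to reach the Internet; that means any non-RFC 1918 address inside the company stays reachable unless a deny for it is added above it.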
T Pitch

Ok, I suspected as much. I've done this but noticed a few things. I can still ping devices on my 192.168.1.0/24 subnet, and somehow DNS is still working while it is looking to servers in the 192.168.1.x subnet.

I've confirmed I can't pull up web pages or even RDP into devices on the 192.168.1.x subnet. Why do some things seem to work without an implicit allow? I'd prefer nothing work without a deny.

I'm applying this ACL to a specific port as an ingress ACL (I also tried egress, just for the fun of it).

Side note (should anyone else come after me), I found this useful: https://github.com/extremenetworks/ExtremeScripting/tree/master/EXOS/Python/IOStoPolicy

Thanks.